
Another major fraud using payment cards

A November 2015 article described a then relatively new type of fraud that criminals used to steal money from bank accounts: "Hackers invented a new money theft scheme, stealing 250 million rubles". Briefly, the fraud worked as follows:

The offender obtained a payment card, topped it up, and immediately withdrew the deposited money at an ATM, requesting a receipt. The transaction data was then sent to an accomplice who had access to infected POS terminals. Through those terminals, using the operation code, a cancellation of the cash withdrawal was generated. As a result, the card balance was instantly restored and the money reappeared in the attacker's account. The criminals repeated these actions many times until the ATMs ran out of cash, and modified their scheme after the banks corrected the error. At the time, several court cases were opened against those responsible; the "money mules" were from London, Ukraine, Latvia and Lithuania.

Now there is news of a very similar incident, this time including the names of the affected companies. The damage is almost twice as large: about half a billion rubles.


PJSC "Bank Kuznetsky"
PJSC "Bank Kuznetsky" is a small regional bank in terms of assets, the only credit institution registered in the Penza Region. The key areas of activity are servicing and lending to corporate clients, attracting public funds to deposits and lending to individuals. The main source of financing for the bank's activities is deposits of individuals (55.7%). The bank's network is represented by its head office in Penza, 20 additional offices, four operating cash desks outside the cash office and three operating offices. The entire network of the bank, except for two operating offices in Samara and the Republic of Chuvashia, is located and operates in the Penza region. The number of bank staff on April 1, 2016 was 350 people. The network of own devices has 45 ATMs and 114 terminals. Information from Banki.ru.


In August 2015, scammers or their accomplices, using MasterCard cards issued by Kuznetsky Bank, withdrew 470 million rubles from ATMs of other banks. The fraudsters used the ODP payment system, which then included more than 200 banks and which allowed them to withdraw cash at lower rates. UCS is the operational and payment clearing center of the LFS.

Usually fraudsters make 5-10 visits to an ATM, each time withdrawing the maximum possible amount (200,000 rubles, 40 bills with a face value of 5,000 rubles). What distinguishes this case is that more than 3,000 such operations were carried out in a single day, and the total amount reached almost 470 million rubles. Judging by the amount and number of operations, the fraudsters had to empty more than 200 ATMs belonging to different banks in a short time. Performing that many payment cancellation operations manually is physically impossible, so one can confidently assert that it was not an employee who acted, but hackers who had previously obtained access to the bank's infrastructure.

The situation is very similar to the one described earlier; this is the "cancel transaction" attack: the fraudster, using a card of the issuing bank, withdraws cash from an ATM. Immediately afterwards, the fraudster's accomplice sends the payment system a request to cancel the operation. "Due to the cancellation of the operation, the amount on the card account does not change, so fraudsters can repeat this two-step over and over until they get bored," says Dmitry Kuznetsov, director for methodology and standardization at Positive Technologies. "The issuer will owe the acquirer an amount equal to the amount of cash withdrawn."

When the fraudsters withdrew the first hundred thousand rubles, the balance available on the issuer's correspondent account decreased by this amount, and after the cancellation of the operation it was restored, although the issuer now actually owed the acquirer a hundred thousand. With each subsequent fraudulent transaction, the balance on the correspondent account again decreased and was then restored.

The court noted that transactions in the ODP payment system are carried out in accordance with the MasterCard rules, and, according to them, only the acquiring bank (i.e., the bank operating the ATM) has the right to cancel a transaction in real time, while the issuing bank (in our case, "Kuznetsky") could cancel the operation only after seven calendar days. Despite this, the defendant UCS processed a cancellation operation on behalf of Kuznetsky.
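The rule the court cited can be turned into a monitoring check on the processing side. The following is an added example, not code from the article or from any party named in it: the message layout, the names `ACQ_BANK_1`, `ACQ_BANK_2` and `ISSUER_PROC`, the cycle threshold, and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Per the rule cited above: only the acquirer may reverse in real time;
# the issuer side may cancel only after seven calendar days.
ISSUER_REVERSAL_DELAY = timedelta(days=7)

# Constructed sample: (timestamp, kind, txn_id, card, amount_rub, sender).
# For a withdrawal the sender is the acquiring bank that owns the ATM.
MESSAGES = [
    ("2015-08-01T10:00:00", "withdrawal", "T1", "CARD_A", 200000, "ACQ_BANK_1"),
    ("2015-08-01T10:00:40", "reversal",   "T1", "CARD_A", 200000, "ISSUER_PROC"),
    ("2015-08-01T10:05:00", "withdrawal", "T2", "CARD_A", 200000, "ACQ_BANK_2"),
    ("2015-08-01T10:05:30", "reversal",   "T2", "CARD_A", 200000, "ISSUER_PROC"),
    ("2015-08-01T10:10:00", "withdrawal", "T4", "CARD_A", 200000, "ACQ_BANK_1"),
    ("2015-08-01T10:10:30", "reversal",   "T4", "CARD_A", 200000, "ISSUER_PROC"),
    # Legitimate: the ATM's own bank reverses (e.g. cash was not dispensed).
    ("2015-08-01T11:00:00", "withdrawal", "T3", "CARD_B", 5000, "ACQ_BANK_1"),
    ("2015-08-01T11:00:20", "reversal",   "T3", "CARD_B", 5000, "ACQ_BANK_1"),
    # Legitimate: issuer-side cancellation after the seven-day window.
    ("2015-08-01T12:00:00", "withdrawal", "T5", "CARD_C", 10000, "ACQ_BANK_2"),
    ("2015-08-09T12:00:00", "reversal",   "T5", "CARD_C", 10000, "ISSUER_PROC"),
]

def audit(messages, max_cycles=2):
    """Return (alerts, exposure): rule violations and the debt to each
    acquirer that the restored card balance no longer reflects."""
    withdrawals, alerts = {}, []
    cycles = defaultdict(int)      # reversals seen per card
    exposure = defaultdict(int)    # rubles dispensed, then improperly reversed
    for ts, kind, txn_id, card, amount, sender in messages:
        ts = datetime.fromisoformat(ts)
        if kind == "withdrawal":
            withdrawals[txn_id] = (ts, amount, sender)
            continue
        if txn_id not in withdrawals:
            alerts.append((txn_id, "reversal without matching withdrawal"))
            continue
        w_ts, w_amount, acquirer = withdrawals[txn_id]
        if sender != acquirer and ts - w_ts < ISSUER_REVERSAL_DELAY:
            alerts.append((txn_id, "real-time reversal not sent by acquirer"))
            exposure[acquirer] += w_amount
        cycles[card] += 1
        if cycles[card] > max_cycles:
            alerts.append((txn_id, "repeated withdraw/reverse cycle on card"))
    return alerts, dict(exposure)
```

The `exposure` figure is the quantity the article describes as invisible on the correspondent account: the balance looks restored while the debt to each acquirer keeps growing.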

“According to our information, investigative actions are being carried out on criminal cases that have not yet been completed,” said a representative of the ORS NGO.
According to unconfirmed information, the first arrests in this case took place in the autumn.

It follows from the case materials that immediately after the incident, the LFS paid 470 million rubles to the banks from whose ATMs the money was stolen, and the lawsuit against UCS was filed on November 2, 2015. According to a person close to one of the parties, Kuznetsky could not compensate the banks for the damage, since it did not have such funds; for the LFS it was more a matter of reputation.

"The offender must compensate for the harm. If the hackers are not caught, then there is no one to compensate for the harm. If they are caught, they still don't have that kind of money," Dmitry Kuznetsov argues. "The damage is compensated by the one who, according to the results of the court proceedings, turned out to be 'more in the wrong'."

In summary: the Moscow court ordered the processing company UCS to pay RUB 470 million, finding that it was through its fault that the fraudsters stole these funds from Kuznetsky Bank, because UCS violated the terms of the contract.

Based on Habrahabr, Vedomosti.

Source: https://habr.com/ru/post/302836/

